Title

User rights assignments must meet minimum requirements. (Cat II impact)

Discussion

Inappropriate granting of user and advanced user rights can provide system, administrative, and other high level capabilities not required by the normal user.

Check Content

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. Compare the User Rights to the following list. If any groups or accounts are given rights that are not authorized below, this is a finding. Access this computer from the network - Administrators, Users Act as part of the operating system - See separate vulnerability V-1102 Adjust memory quotas for a process - Administrators, Local Service, Network Service Allow log on locally - Administrators, Backup Operators Allow log on through Terminal Services - (None) Backup files and directories - Administrators, Backup Operators Bypass traverse checking - Users Change the system time - Administrators, Local Service Create a pagefile - Administrators Create a token object - (None) Create global objects - Administrators, Service Create permanent shared objects - (None) Debug programs - See separate vulnerability V-18010 Deny access to this computer from the network - See separate vulnerability V-1155 Deny log on as a batch job - See separate vulnerability V-26483 Deny log on as a service - See separate vulnerability V-26484 Deny log on locally - See separate vulnerability V-26485 Deny log on through Terminal Services - See separate vulnerability V-26486 Enable computer and user accounts to be trusted for delegation - (None) Force shutdown from a remote system - Administrators Generate security audits - Local Service, Network Service Impersonate a client after authentication - Administrators, Service Increase scheduling priority - Administrators Load and unload device drivers - Administrators Lock pages in memory - (None) Log on as a batch job - (None) Log on as a service - Network Service Manage auditing and security log - "Auditor’s" Group (Exchange Enterprise Servers Group on Exchange Servers) Modify firmware environment values - Administrators Perform volume maintenance tasks - Administrators Profile single process - Administrators Profile system performance - Administrators Remove computer from docking station - Administrators Replace a process level token - Local Service, Network Service Restore files and directories - Administrators, Backup Operators Shut down the system - Administrators Synchronize directory service data - not applicable Take ownership of files or other objects - Administrators Documentable Explanation: Some applications require one or more of these rights to function. Any exception needs to be documented with the IAO. Acceptable forms of documentation include vendor published documents and application owner confirmation.

Fix Text

Configure User Rights as listed below to prevent groups or accounts from having unauthorized rights. Access this computer from the network - Administrators, Users Act as part of the operating system - See separate vulnerability V-1102 Adjust memory quotas for a process - Administrators, Local Service, Network Service Allow log on locally - Administrators, Backup Operators Allow log on through Terminal Services - (None) Backup files and directories - Administrators, Backup Operators Bypass traverse checking - Users Change the system time - Administrators, Local Service Create a pagefile - Administrators Create a token object - (None) Create global objects - Administrators, Service Create permanent shared objects - (None) Debug programs - See separate vulnerability V-18010 Deny access to this computer from the network - See separate vulnerability V-1155 Deny log on as a batch job - See separate vulnerability V-26483 Deny log on as a service - See separate vulnerability V-26484 Deny log on locally - See separate vulnerability V-26485 Deny log on through Terminal Services - See separate vulnerability V-26486 Enable computer and user accounts to be trusted for delegation - (None) Force shutdown from a remote system - Administrators Generate security audits - Local Service, Network Service Impersonate a client after authentication - Administrators, Service Increase scheduling priority - Administrators Load and unload device drivers - Administrators Lock pages in memory - (None) Log on as a batch job - (None) Log on as a service - Network Service Manage auditing and security log - "Auditor’s" Group (Exchange Enterprise Servers Group on Exchange Servers) Modify firmware environment values - Administrators Perform volume maintenance tasks - Administrators Profile single process - Administrators Profile system performance - Administrators Remove computer from docking station - Administrators Replace a process level token - Local Service, Network Service Restore files and directories - Administrators, Backup Operators Shut down the system - Administrators Synchronize directory service data - not applicable Take ownership of files or other objects - Administrators Document any exceptions with the IAO.

Additional Identifiers

Rule ID: SV-1103r3_rule

Vulnerability ID: V-1103

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.